c0c47f91e18fc087051c2172c74ae96e14e01fadb12af47d3e301e99e22da8c1

Analysis

max time kernel
151s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
27/05/2024, 14:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

BetterShaders.exe
Size

168.8MB
MD5

26e51744ce941b55c7653e9ab229a18f
SHA1

bd08f0f5b3f64aba844128dfb2d77312bbef8b46
SHA256

3bcf3c61e80cc6346a8af84c89ca2c50a9eef2b6b915c6c73fff8725f1c6b118
SHA512

a308443b59a0a5713b99474e30f93a7f8cc98120c11c2f9f5884d5aa61bbf0073a6cfb1c67d676d64656988802fbf1bb8a1f5234df09b1fd2c36f5f7d3fed0a4
SSDEEP

1572864:du3SXrDDmfijsEGl0y+Mgp4cLTRN/33i/oHHl9sqPwqZdsJ2DWw3h9JByba/:/XX++LYYyba

Score

7^/10

spyware stealer

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	BetterShaders.exe

Loads dropped DLL 1 IoCs

pid	Process
3892	BetterShaders.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
27	ipapi.co
29	ipapi.co

An obfuscated cmd.exe command-line is typically used to evade detection. 2 IoCs

pid	Process
1632	cmd.exe
3964	cmd.exe

Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery

T1057

pid	Process
2832	tasklist.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
2844	taskkill.exe

Opens file in notepad (likely ransom note) 3 IoCs

ransomware

pid	Process
3656	NOTEPAD.EXE
4660	NOTEPAD.EXE
3792	NOTEPAD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
3788	vlc.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
1592	powershell.exe
1592	powershell.exe
1592	powershell.exe
3472	powershell.exe
3472	powershell.exe
2592	BetterShaders.exe
2592	BetterShaders.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3788	vlc.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2832	tasklist.exe
Token: SeDebugPrivilege	2844	taskkill.exe
Token: SeDebugPrivilege	1592	powershell.exe
Token: SeDebugPrivilege	3472	powershell.exe
Token: SeShutdownPrivilege	3892	BetterShaders.exe
Token: SeCreatePagefilePrivilege	3892	BetterShaders.exe
Token: SeShutdownPrivilege	3892	BetterShaders.exe
Token: SeCreatePagefilePrivilege	3892	BetterShaders.exe
Token: SeShutdownPrivilege	3892	BetterShaders.exe
Token: SeCreatePagefilePrivilege	3892	BetterShaders.exe
Token: SeShutdownPrivilege	3892	BetterShaders.exe
Token: SeCreatePagefilePrivilege	3892	BetterShaders.exe
Token: SeShutdownPrivilege	3892	BetterShaders.exe
Token: SeCreatePagefilePrivilege	3892	BetterShaders.exe
Token: SeShutdownPrivilege	3892	BetterShaders.exe
Token: SeCreatePagefilePrivilege	3892	BetterShaders.exe
Token: SeShutdownPrivilege	3892	BetterShaders.exe
Token: SeCreatePagefilePrivilege	3892	BetterShaders.exe
Token: SeShutdownPrivilege	3892	BetterShaders.exe
Token: SeCreatePagefilePrivilege	3892	BetterShaders.exe
Token: SeShutdownPrivilege	3892	BetterShaders.exe
Token: SeCreatePagefilePrivilege	3892	BetterShaders.exe
Token: SeShutdownPrivilege	3892	BetterShaders.exe
Token: SeCreatePagefilePrivilege	3892	BetterShaders.exe
Token: SeShutdownPrivilege	3892	BetterShaders.exe
Token: SeCreatePagefilePrivilege	3892	BetterShaders.exe
Token: SeShutdownPrivilege	3892	BetterShaders.exe
Token: SeCreatePagefilePrivilege	3892	BetterShaders.exe
Token: SeShutdownPrivilege	3892	BetterShaders.exe
Token: SeCreatePagefilePrivilege	3892	BetterShaders.exe
Token: SeShutdownPrivilege	3892	BetterShaders.exe
Token: SeCreatePagefilePrivilege	3892	BetterShaders.exe
Token: SeShutdownPrivilege	3892	BetterShaders.exe
Token: SeCreatePagefilePrivilege	3892	BetterShaders.exe
Token: SeShutdownPrivilege	3892	BetterShaders.exe
Token: SeCreatePagefilePrivilege	3892	BetterShaders.exe
Token: SeShutdownPrivilege	3892	BetterShaders.exe
Token: SeCreatePagefilePrivilege	3892	BetterShaders.exe
Token: SeShutdownPrivilege	3892	BetterShaders.exe
Token: SeCreatePagefilePrivilege	3892	BetterShaders.exe
Token: SeShutdownPrivilege	3892	BetterShaders.exe
Token: SeCreatePagefilePrivilege	3892	BetterShaders.exe
Token: SeShutdownPrivilege	3892	BetterShaders.exe
Token: SeCreatePagefilePrivilege	3892	BetterShaders.exe
Token: SeShutdownPrivilege	3892	BetterShaders.exe
Token: SeCreatePagefilePrivilege	3892	BetterShaders.exe
Token: SeShutdownPrivilege	3892	BetterShaders.exe
Token: SeCreatePagefilePrivilege	3892	BetterShaders.exe
Token: SeShutdownPrivilege	3892	BetterShaders.exe
Token: SeCreatePagefilePrivilege	3892	BetterShaders.exe
Token: SeShutdownPrivilege	3892	BetterShaders.exe
Token: SeCreatePagefilePrivilege	3892	BetterShaders.exe
Token: SeShutdownPrivilege	3892	BetterShaders.exe
Token: SeCreatePagefilePrivilege	3892	BetterShaders.exe
Token: SeShutdownPrivilege	3892	BetterShaders.exe
Token: SeCreatePagefilePrivilege	3892	BetterShaders.exe
Token: SeShutdownPrivilege	3892	BetterShaders.exe
Token: SeCreatePagefilePrivilege	3892	BetterShaders.exe
Token: SeShutdownPrivilege	3892	BetterShaders.exe
Token: SeCreatePagefilePrivilege	3892	BetterShaders.exe
Token: SeShutdownPrivilege	3892	BetterShaders.exe
Token: SeCreatePagefilePrivilege	3892	BetterShaders.exe
Token: SeShutdownPrivilege	3892	BetterShaders.exe
Token: SeCreatePagefilePrivilege	3892	BetterShaders.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
3788	vlc.exe
3788	vlc.exe
3788	vlc.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
3788	vlc.exe
3788	vlc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3788	vlc.exe

Suspicious use of WriteProcessMemory 50 IoCs

description	pid	Process	procid_target
PID 3892 wrote to memory of 2232	3892	BetterShaders.exe	99
PID 3892 wrote to memory of 2232	3892	BetterShaders.exe	99
PID 2232 wrote to memory of 2832	2232	cmd.exe	101
PID 2232 wrote to memory of 2832	2232	cmd.exe	101
PID 3892 wrote to memory of 840	3892	BetterShaders.exe	102
PID 3892 wrote to memory of 840	3892	BetterShaders.exe	102
PID 840 wrote to memory of 2844	840	cmd.exe	104
PID 840 wrote to memory of 2844	840	cmd.exe	104
PID 3892 wrote to memory of 1632	3892	BetterShaders.exe	105
PID 3892 wrote to memory of 1632	3892	BetterShaders.exe	105
PID 1632 wrote to memory of 1592	1632	cmd.exe	107
PID 1632 wrote to memory of 1592	1632	cmd.exe	107
PID 3892 wrote to memory of 3964	3892	BetterShaders.exe	108
PID 3892 wrote to memory of 3964	3892	BetterShaders.exe	108
PID 3964 wrote to memory of 3472	3964	cmd.exe	110
PID 3964 wrote to memory of 3472	3964	cmd.exe	110
PID 3892 wrote to memory of 1288	3892	BetterShaders.exe	111
PID 3892 wrote to memory of 1288	3892	BetterShaders.exe	111
PID 3892 wrote to memory of 1288	3892	BetterShaders.exe	111
PID 3892 wrote to memory of 1288	3892	BetterShaders.exe	111
PID 3892 wrote to memory of 1288	3892	BetterShaders.exe	111
PID 3892 wrote to memory of 1288	3892	BetterShaders.exe	111
PID 3892 wrote to memory of 1288	3892	BetterShaders.exe	111
PID 3892 wrote to memory of 1288	3892	BetterShaders.exe	111
PID 3892 wrote to memory of 1288	3892	BetterShaders.exe	111
PID 3892 wrote to memory of 1288	3892	BetterShaders.exe	111
PID 3892 wrote to memory of 1288	3892	BetterShaders.exe	111
PID 3892 wrote to memory of 1288	3892	BetterShaders.exe	111
PID 3892 wrote to memory of 1288	3892	BetterShaders.exe	111
PID 3892 wrote to memory of 1288	3892	BetterShaders.exe	111
PID 3892 wrote to memory of 1288	3892	BetterShaders.exe	111
PID 3892 wrote to memory of 1288	3892	BetterShaders.exe	111
PID 3892 wrote to memory of 1288	3892	BetterShaders.exe	111
PID 3892 wrote to memory of 1288	3892	BetterShaders.exe	111
PID 3892 wrote to memory of 1288	3892	BetterShaders.exe	111
PID 3892 wrote to memory of 1288	3892	BetterShaders.exe	111
PID 3892 wrote to memory of 1288	3892	BetterShaders.exe	111
PID 3892 wrote to memory of 1288	3892	BetterShaders.exe	111
PID 3892 wrote to memory of 1288	3892	BetterShaders.exe	111
PID 3892 wrote to memory of 1288	3892	BetterShaders.exe	111
PID 3892 wrote to memory of 1288	3892	BetterShaders.exe	111
PID 3892 wrote to memory of 1288	3892	BetterShaders.exe	111
PID 3892 wrote to memory of 1288	3892	BetterShaders.exe	111
PID 3892 wrote to memory of 1288	3892	BetterShaders.exe	111
PID 3892 wrote to memory of 1288	3892	BetterShaders.exe	111
PID 3892 wrote to memory of 1288	3892	BetterShaders.exe	111
PID 3892 wrote to memory of 4512	3892	BetterShaders.exe	112
PID 3892 wrote to memory of 4512	3892	BetterShaders.exe	112
PID 3892 wrote to memory of 2592	3892	BetterShaders.exe	136
PID 3892 wrote to memory of 2592	3892	BetterShaders.exe	136

C:\Users\Admin\AppData\Local\Temp\BetterShaders.exe
"C:\Users\Admin\AppData\Local\Temp\BetterShaders.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3892
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2232
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2832
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "taskkill /IM msedge.exe /F"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:840
- - C:\Windows\system32\taskkill.exe
    taskkill /IM msedge.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2844
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,178,229,138,184,191,54,18,71,183,48,31,104,227,4,221,178,0,0,0,0,2,0,0,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,0,78,45,1,2,73,101,138,92,248,203,36,214,3,29,227,126,43,5,213,73,178,36,50,196,50,207,115,181,6,197,32,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,100,219,159,52,176,208,115,13,56,208,151,127,54,129,239,61,201,132,227,174,108,32,71,248,72,155,160,225,38,252,147,203,48,0,0,0,197,0,36,240,9,215,176,156,79,184,233,65,75,233,34,162,148,88,138,202,207,252,36,242,164,230,221,121,165,227,58,204,54,172,208,39,144,191,58,71,214,82,223,125,228,156,102,173,64,0,0,0,231,83,253,134,63,37,150,64,131,136,72,63,218,180,121,158,202,225,25,28,220,224,224,100,212,227,145,186,16,22,203,112,136,253,150,50,127,211,24,206,170,121,22,93,168,43,216,180,15,2,66,106,49,3,52,195,201,207,79,83,68,16,5,250), $null, 'CurrentUser')"
  2⤵
  - An obfuscated cmd.exe command-line is typically used to evade detection.
  - Suspicious use of WriteProcessMemory
  PID:1632
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,178,229,138,184,191,54,18,71,183,48,31,104,227,4,221,178,0,0,0,0,2,0,0,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,0,78,45,1,2,73,101,138,92,248,203,36,214,3,29,227,126,43,5,213,73,178,36,50,196,50,207,115,181,6,197,32,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,100,219,159,52,176,208,115,13,56,208,151,127,54,129,239,61,201,132,227,174,108,32,71,248,72,155,160,225,38,252,147,203,48,0,0,0,197,0,36,240,9,215,176,156,79,184,233,65,75,233,34,162,148,88,138,202,207,252,36,242,164,230,221,121,165,227,58,204,54,172,208,39,144,191,58,71,214,82,223,125,228,156,102,173,64,0,0,0,231,83,253,134,63,37,150,64,131,136,72,63,218,180,121,158,202,225,25,28,220,224,224,100,212,227,145,186,16,22,203,112,136,253,150,50,127,211,24,206,170,121,22,93,168,43,216,180,15,2,66,106,49,3,52,195,201,207,79,83,68,16,5,250), $null, 'CurrentUser')
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1592
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,178,229,138,184,191,54,18,71,183,48,31,104,227,4,221,178,16,0,0,0,30,0,0,0,77,0,105,0,99,0,114,0,111,0,115,0,111,0,102,0,116,0,32,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,235,109,63,161,143,103,239,2,243,42,0,152,229,80,171,0,159,246,122,218,102,1,201,41,199,97,231,141,3,106,5,145,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,28,248,39,179,16,168,130,106,211,0,97,0,128,122,38,238,106,157,215,12,26,220,5,94,0,18,197,241,30,209,133,237,48,0,0,0,94,231,22,67,115,230,229,203,231,167,104,218,247,164,4,250,85,64,58,98,170,216,75,184,105,46,36,45,95,94,206,149,65,52,170,185,236,180,195,205,32,56,192,56,21,251,66,54,64,0,0,0,2,83,162,89,41,109,219,141,218,61,37,223,251,2,114,133,242,58,77,7,58,223,102,204,149,171,52,166,22,73,227,39,184,85,13,27,246,113,204,235,52,211,6,50,1,238,240,195,92,174,30,192,214,135,234,206,46,248,21,9,246,215,58,66), $null, 'CurrentUser')"
  2⤵
  - An obfuscated cmd.exe command-line is typically used to evade detection.
  - Suspicious use of WriteProcessMemory
  PID:3964
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,178,229,138,184,191,54,18,71,183,48,31,104,227,4,221,178,16,0,0,0,30,0,0,0,77,0,105,0,99,0,114,0,111,0,115,0,111,0,102,0,116,0,32,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,235,109,63,161,143,103,239,2,243,42,0,152,229,80,171,0,159,246,122,218,102,1,201,41,199,97,231,141,3,106,5,145,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,28,248,39,179,16,168,130,106,211,0,97,0,128,122,38,238,106,157,215,12,26,220,5,94,0,18,197,241,30,209,133,237,48,0,0,0,94,231,22,67,115,230,229,203,231,167,104,218,247,164,4,250,85,64,58,98,170,216,75,184,105,46,36,45,95,94,206,149,65,52,170,185,236,180,195,205,32,56,192,56,21,251,66,54,64,0,0,0,2,83,162,89,41,109,219,141,218,61,37,223,251,2,114,133,242,58,77,7,58,223,102,204,149,171,52,166,22,73,227,39,184,85,13,27,246,113,204,235,52,211,6,50,1,238,240,195,92,174,30,192,214,135,234,206,46,248,21,9,246,215,58,66), $null, 'CurrentUser')
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3472
- C:\Users\Admin\AppData\Local\Temp\BetterShaders.exe
  "C:\Users\Admin\AppData\Local\Temp\BetterShaders.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\BetterShaders" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1912,i,9188145920335173270,17345024384858000960,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=1920 /prefetch:2
  2⤵
  PID:1288
- C:\Users\Admin\AppData\Local\Temp\BetterShaders.exe
  "C:\Users\Admin\AppData\Local\Temp\BetterShaders.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\BetterShaders" --field-trial-handle=2140,i,9188145920335173270,17345024384858000960,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=2136 /prefetch:3
  2⤵
  PID:4512
- C:\Users\Admin\AppData\Local\Temp\BetterShaders.exe
  "C:\Users\Admin\AppData\Local\Temp\BetterShaders.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --user-data-dir="C:\Users\Admin\AppData\Roaming\BetterShaders" --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2008,i,9188145920335173270,17345024384858000960,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=2516 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2592

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3624

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\Passwords.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:3656

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\Temp1_cookies.zip\Microsoft_Default.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:4660

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\Autofills.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:3792

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\HideUndo.ram"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:3788

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
f48896adf9a23882050cdff97f610a7f

SHA1
4c5a610df62834d43f470cae7e851946530e3086

SHA256
3ae35c2828715a2f9a5531d334a0cfffc81396c2dc058ca42a9943f3cdc22e78

SHA512
16644246f2a35a186fcb5c2b6456ed6a16e8db65ad1383109e06547f9b1f9358f071c30cca541ca4cf7bae66cb534535e88f75f6296a4bfc6c7b22b0684a6ba9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
68d80cc2ac40ea9e5c7297fba6623c45

SHA1
05908daef7414f753fa6006082c42485002a7da8

SHA256
3b059d656dae93233a96c9079352c1d77c6abfec689cc6236b93b427c9918e96

SHA512
2c51e963eba030ee4f2ef5df1577a8ce38cacd6ffc3d0c56258db173352b46cd6048505061c65bd5757d14e2e27d9d396cbce95d58406660af62365bd4e7afb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\57c9bfb3-4a0d-4cb3-a484-dd0ed82883c5.tmp.node

Filesize
1.8MB

MD5
3072b68e3c226aff39e6782d025f25a8

SHA1
cf559196d74fa490ac8ce192db222c9f5c5a006a

SHA256
7fb52b781709b065c240b6b81394be6e72e53fe11d7c8e0f7b49dd417eb78a01

SHA512
61ebc72c20195e99244d95af1ab44fa06201a1aee2b5da04490fdc4312e8324a40b0e15a7b42fab5179753d767c1d08ae1a7a56ac71a6e100e63f83db849ee61

Download Submit
C:\Users\Admin\AppData\Local\Temp\Autofills.txt

Filesize
90B

MD5
8fb196cd3b31b00bb8e35df5c490ade1

SHA1
cf7acf3dde5ba8f808be6025cf28dfe573120307

SHA256
969fd23147e88067565018fc4141eed85cd208906a8b878b098defeb4156ebf8

SHA512
1c101e51db23045dcaf2edf4e414099c3430951afb9625673197f1d21df7cded2c2bd43e02966571c6910d107a5a04b2461bc030e6babe9343090bf05ca63581

Download Submit
C:\Users\Admin\AppData\Local\Temp\Passwords.txt

Filesize
71B

MD5
4d6eadc6c0ff2a52aae242512cface64

SHA1
58585d6d017a8c2a597d7b88e98825c59f3368c5

SHA256
d177217ce74775a6fdc5d0880f58da76105315c7bf732892b5e11e19c0175e09

SHA512
63fd17a1fec1efb41fce70b6b9130de215c63e1ed58a3169139b21cd32f84804d5fbfde5b76a894d83f2c71f8bf594cd855f823dc16ce984f2f3aec228759f58

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_yfafqys2.vmm.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/1592-14-0x000002D4EB740000-0x000002D4EB762000-memory.dmp

Filesize
136KB

Download
memory/1592-17-0x000002D4EBB40000-0x000002D4EBB90000-memory.dmp

Filesize
320KB

Download
memory/2592-92-0x00000246B6270000-0x00000246B6271000-memory.dmp

Filesize
4KB

Download
memory/2592-94-0x00000246B6270000-0x00000246B6271000-memory.dmp

Filesize
4KB

Download
memory/2592-95-0x00000246B6270000-0x00000246B6271000-memory.dmp

Filesize
4KB

Download
memory/2592-96-0x00000246B6270000-0x00000246B6271000-memory.dmp

Filesize
4KB

Download
memory/2592-97-0x00000246B6270000-0x00000246B6271000-memory.dmp

Filesize
4KB

Download
memory/2592-93-0x00000246B6270000-0x00000246B6271000-memory.dmp

Filesize
4KB

Download
memory/2592-91-0x00000246B6270000-0x00000246B6271000-memory.dmp

Filesize
4KB

Download
memory/2592-85-0x00000246B6270000-0x00000246B6271000-memory.dmp

Filesize
4KB

Download
memory/2592-86-0x00000246B6270000-0x00000246B6271000-memory.dmp

Filesize
4KB

Download
memory/2592-87-0x00000246B6270000-0x00000246B6271000-memory.dmp

Filesize
4KB

Download
memory/3788-79-0x00007FF951E00000-0x00007FF951E18000-memory.dmp

Filesize
96KB

Download
memory/3788-68-0x00007FF95FE90000-0x00007FF95FEA8000-memory.dmp

Filesize
96KB

Download
memory/3788-73-0x00007FF95B8B0000-0x00007FF95B8CD000-memory.dmp

Filesize
116KB

Download
memory/3788-71-0x00007FF95B9E0000-0x00007FF95B9F7000-memory.dmp

Filesize
92KB

Download
memory/3788-74-0x00007FF95B860000-0x00007FF95B871000-memory.dmp

Filesize
68KB

Download
memory/3788-72-0x00007FF95B9A0000-0x00007FF95B9B1000-memory.dmp

Filesize
68KB

Download
memory/3788-70-0x00007FF95C310000-0x00007FF95C321000-memory.dmp

Filesize
68KB

Download
memory/3788-69-0x00007FF95F410000-0x00007FF95F427000-memory.dmp

Filesize
92KB

Download
memory/3788-67-0x00007FF94B8B0000-0x00007FF94BB66000-memory.dmp

Filesize
2.7MB

Download
memory/3788-78-0x00007FF95B610000-0x00007FF95B631000-memory.dmp

Filesize
132KB

Download
memory/3788-80-0x00007FF951DD0000-0x00007FF951DE1000-memory.dmp

Filesize
68KB

Download
memory/3788-81-0x00007FF94BD40000-0x00007FF94BD51000-memory.dmp

Filesize
68KB

Download
memory/3788-82-0x00007FF94BD20000-0x00007FF94BD31000-memory.dmp

Filesize
68KB

Download
memory/3788-83-0x00007FF947000000-0x00007FF947035000-memory.dmp

Filesize
212KB

Download
memory/3788-84-0x000002509B900000-0x000002509BA13000-memory.dmp

Filesize
1.1MB

Download
memory/3788-77-0x00007FF9478D0000-0x00007FF948980000-memory.dmp

Filesize
16.7MB

Download
memory/3788-76-0x00007FF95B700000-0x00007FF95B741000-memory.dmp

Filesize
260KB

Download
memory/3788-75-0x00007FF94B6A0000-0x00007FF94B8AB000-memory.dmp

Filesize
2.0MB

Download
memory/3788-66-0x00007FF95B8D0000-0x00007FF95B904000-memory.dmp

Filesize
208KB

Download
memory/3788-65-0x00007FF7020B0000-0x00007FF7021A8000-memory.dmp

Filesize
992KB

Download